Saturday, April 11, 2009

Addressing the need to evolve

Been watching the 'net recently to see what's new? I have. Saw the MMPC write-up on Conficker.E recently, and it occurred to me that the authors of this bit of malware are really going out of their way to "protect" the systems they infect. After all, look at the list of process names that it terminates if found. Now, from that list, how many of those tools do YOU use when troubleshooting a system or performing incident response? How about dynamic malware analysis?

Okay, so this is nothing new is it? By "new", I mean the need to adapt our tools and techniques to the current environment and climate. Back in the day (or in the "Old Corps", as the case may be...), malware would maintain persistence by writing to the Registry, in particular, to the Run key. Once enough folks became familiar with that technique, then there was a move to maintain persistence via other Registry keys, including the Services keys. Then, to make things even more fun, the Services were added as randomly-named DLLs, loaded as part of SvcHost. We're even seeing WFP subverted or disabled, or bypassed completely by modifying "protected" files in memory only (as with Conficker.E, apparently). Oh, yeah, and while I'm off looking in the Registry for a persistence mechanism, some malware author is using Scheduled Tasks, instead.

This is all the continuing evolution of (cyber)warfare. Students of military history have seen this throughout the ages. Build a tank, then build an armament or weapon to take it out. Add armor to the tank, someone builds a missile. Reactive armor is added to the tank, and then a probe is added to the missile...and back and forth we go. The IR/CF world is really no different, as the same sorts of tactics are used.

It's never a good time to rest on your laurels. Just when you think you've got it licked and all wrapped up, that's when you know its time to change how you're doing things again.

1 comment:

Dave said...

I couldn't agree with you more regarding the evolution that's taking place. I made the exact same comment to my coworkers after ridding one of our BU's networks of conflicker. Coincidentally, I was reading "Windows Forensic Analysis" on the plane to and from that location.